Wednesday, August 26, 2020

Authentication Service


In this post we will review a general authentication service: why it is required, and how it is used.

In the old days, when an organization had only one or very few internal systems, each system had its own user repository. The organization's IT team configured the users on each system using that system's own management tools.

As technology penetrated into wider areas, the number of internal systems in the organization grew, and so on each change in the organization's employees the IT team had to manually update the user repository in every system.

Not only that, but the complexity of user authentication increased as a means of protecting against malicious account takeover. Other factors were added to the authentication requirements: multi-factor authentication, such as an SMS to the employee's mobile phone or an authenticator application running on it. In addition, password strength restrictions, such as minimum length, password history and password complexity, had to be enforced.

Due to these changes and requirements, the organization's IT team could no longer manage the internal systems in a timely fashion. The solution to this problem was the authentication service.

The authentication service is a central system where the user repository is held. It manages the security requirements for the users: password strength, multi-factor authentication and more.

The internal systems no longer hold a user repository; instead, they access the authentication service to verify the user login.


The following diagram explains the steps of a user login when an authentication service is used.

Step 1: Login without a Token. The end user accesses system A.

Step 2: Redirect. System A identifies that there is no token in the request, and hence redirects the end user to the authentication service.

Step 3: Login. The end user logs into the authentication service. The authentication service enforces all required security measures, such as MFA and password strength.

Step 4: Token. Once the login succeeds, the authentication service generates a token for the user. This token is kept in the authentication service for a preconfigured, limited time. The token is returned to the end user.

Step 5: Login with a Token. The end user accesses system A again, but this time the token is sent in the request header.

Step 6: Validate Token. System A validates the token with the authentication service.

Step 7: User. The authentication service finds the token that was previously saved, and returns the actual user name to system A.



Final Notes

In this post we have reviewed the operation of a general authentication service.

Once an authentication service is integrated into the organization, the next step is to provide a single sign-on capability. This is possible because the token created during login to one organizational system can be used by another system, without the need to log in again.
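The seven-step flow above and the single sign-on that follows from it, as an added Python model written for this post (not the author's code or any product's API). The class and method names are assumptions, and the in-memory dictionaries stand in for the service's user repository and its store of issued tokens:

```python
import hashlib
import secrets
import time

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    # Central user repository plus the store of issued tokens (constructed demo).
    def __init__(self, token_ttl_seconds):
        self.token_ttl = token_ttl_seconds
        self.users = {}   # username -> (salt, pbkdf2 hash); no plain-text passwords
        self.tokens = {}  # opaque token -> (username, expiry timestamp)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password, now=None):
        # Steps 3 and 4: verify credentials, issue a token that is kept server-side.
        now = time.time() if now is None else now
        salt, expected = self.users.get(username, (b"", b""))
        if not expected or not secrets.compare_digest(_hash(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)  # random; carries no user data itself
        self.tokens[token] = (username, now + self.token_ttl)
        return token

    def validate(self, token, now=None):
        # Steps 6 and 7: look the saved token up and return its user, or None.
        now = time.time() if now is None else now
        username, expiry = self.tokens.get(token, (None, 0))
        if username is None or now >= expiry:
            self.tokens.pop(token, None)  # unknown or expired: nothing left to reuse
            return None
        return username

class AppSystem:
    # System A or B: holds no users of its own, only delegates to the service.
    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def handle_request(self, headers, now=None):
        token = headers.get("Authorization")  # step 1 arrives without one
        user = self.auth.validate(token, now) if token else None
        if user is None:
            return ("redirect", "auth-service/login")  # step 2, or a bad/expired token
        return ("ok", f"{self.name} serves {user}")  # step 5 succeeded
```

Because the token lives in the service and not in system A, a second system B can accept the same token, which is the single sign-on case.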
